What is Security as a System Property?

Security is concerned when an environment negatively affects the technical or social system.

Social system example: WikiLeaks release of classified information

Technical system example: Stuxnet


One practical definition (there are many similar others):

security. In computing, the degree to which information is protected from unauthorized access, given that authorized access is not denied.


Relationship between the computer/software system and its operational environment

In terms of computer/software failures & risks:

■ Security is concerned when a failure leads to severe consequences (high risk) to the computer system itself.

■ Safety is concerned when a failure leads to severe consequences (high risk) to the environment.

■ Reliability is concerned when a failure does not lead to severe consequences (high risk) to the environment or the computer system; nevertheless, the failure rate is of principal concern.


Problem

We are missing good (any) measures to characterize non-functional software properties related to trustworthiness (safety, security, dependability, etc.), as opposed to timing properties, for example: responsiveness, timeliness, schedulability, predictability.


A suggestion: Apply Science.

“It is an old saw that science has three pillars: theory, experiment, and simulation.”
Glimm and Sharp, Complex Fluid Mixing Flows: Simulation vs. Theory vs. Experiment. SIAM News 39, 5 (June 2006)

This principle is broadly applied in physics, the mother of modern sciences, but it has also been adopted in computing.


How to assess security (safety or other trustworthiness properties) before or during the system’s operation (to make predictions)?

• Theoretical Assessment (analytical model).

• Actual Experiments (measurements).

• Simulation (numerical calculations).


Analogy (if one wants to understand the concept better):

How to assess a network’s properties before it is put into operation?

• Theoretical Assessment (queuing model)

• Actual Experiments (measure throughput, latency, etc.)

• Simulation (numerically calculate).


Theoretical models of security do exist, but they are difficult to develop & verify.

“We’re a long way from establishing a science of security comparable to the traditional physical sciences, and even from knowing whether such a goal is even achievable.”

(Evans & Stolfo, IEEE Security & Privacy, May/June 2010)

http://www.cs.virginia.edu/~evans/pubs/sos2011/introduction.pdf


* A measure of a system property is a computable function from the set of features into a set of real numbers.

* Security threats are never completely defined; thus, the respective system property to prevent security breaches is non-measurable.

Mark D. Torgersen, "Security Metrics for Communication Systems," 12th ICCRTS Int'l Command and Control Research and Technology Symposium, Newport, RI, June 19-21, 2007

http://www.dodccrp.org/events/12th_ICCRTS/CD/html/papers/108.pdf


Our Approach to Theory

• Uncertainty is built into models, even if data items are missing

• Rough Sets theory deals with such issues

• Not a subject of this presentation


Measurement and Simulation

Particular classes of systems considered (relevant to military applications):

• Embedded Systems

• Industrial Control Systems


Generic Model of a Control System

Generic Model of a Control System (with all applicable interfaces)
(Figure: interfaces shown are the Network and the User interface)


Generic Model of a Control System (with all applicable interfaces and disturbances related to Threats)
(Figure: adds Network Disturbances)


Generic Model of a Control System (with all applicable interfaces and disturbances related to Threats and relevant guards to protect the system)
(Figure: Network Disturbances and the guards that protect the system)


Our Approach to Measurements

• Take a closer look at the analogy with physical measurements

• Length/distance, Time, etc.

• Apply software tools

• Adopt results from safety assessment


How to Measure Length?

Henry I is believed to have decreed that a yard should be "the distance from the King's nose to the end of his outstretched thumb." (source: NPL)

What Do We Need to Measure?

Property - length
Metric - meter
Measure - device

Definition of a metric (meter):

The meter is the length of the path traveled by light in vacuum during a time interval of 1/299 792 458 of a second.


Model of an Industrial Control System for Experiments

SCADA System Controller at Florida Gulf Coast University

Remote Unit of the SCADA Control System at FGCU

Investigation of potential threats with netstat (TCP)

Investigation of potential threats with netstat (UDP)

Investigation of potential threats with Wireshark

Investigation of potential threats with Metasploit

Analogy with safety assessment for using the collected data to assess security


Our Approach to Simulation

• Adopt acceptable system model

• Adopt data model

• Adopt failure model

• Use software tools


Model of an Embedded System for Simulation Experiments

Model of an Embedded System for Simulation Experiments (outlining interfaces & full analogy with the Generic Model)

Model of an Embedded System for Simulation Experiments - showing only the communication interfaces used


The Data Model: Specific Vulnerabilities

• Message Introduction: an untrue SMDC or Other CACC message is injected.

• Message Deletion: an SMDC or Other CACC message is not received by the CACC system.

• Message Corruption: the contents of an SMDC or Other CACC message are altered before being received by the CACC system.

• Message Flooding: multiple frequent SMDC or Other CACC messages are received, causing the CACC system to choke and not perform its required tasks within the deadlines.
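The four disturbance classes of the data model map onto checks a receiver can make before a message reaches the control logic: an authentication tag exposes introduced and corrupted messages, a sequence number exposes deleted (and replayed) messages, and an arrival-rate limit bounds the work a flood can impose. The following is an added example, not code from the presentation or from the FGCU system; the message format, the pre-shared key, the 5-messages-per-0.5 s threshold and the five-message stream are all constructed for the illustration. Each scenario applies one disturbance class to the constructed stream and returns the receiver's counters, so the effect of each class can be measured in simulation.

```python
"""Added example: receiver-side classification of the four disturbance classes
(introduction, deletion, corruption, flooding) on a constructed CACC stream."""
import hashlib
import hmac
import json
from collections import deque

SHARED_KEY = b"constructed-demo-key"   # assumed pre-shared key (sender <-> CACC unit)


def make_message(seq, payload, key=SHARED_KEY):
    """Serialise a message with a sequence number and an HMAC-SHA256 tag."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


class CaccReceiver:
    """Classifies each incoming message before it reaches the control logic."""

    def __init__(self, key=SHARED_KEY, max_per_window=5, window=0.5):
        self.key = key
        self.max_per_window = max_per_window   # flooding threshold (messages per window)
        self.window = window                   # sliding window length in seconds
        self.arrivals = deque()
        self.expected_seq = 0
        self.stats = {"accepted": 0, "flood_dropped": 0, "bad_tag": 0,
                      "replayed": 0, "gap": 0}

    def receive(self, msg, t):
        # Flooding: count arrivals in the sliding window before any costly work,
        # so a burst cannot consume the time budget of the control loop.
        self.arrivals.append(t)
        while t - self.arrivals[0] > self.window:
            self.arrivals.popleft()
        if len(self.arrivals) > self.max_per_window:
            self.stats["flood_dropped"] += 1
            return "flood_dropped"
        # Introduction and corruption both leave the tag inconsistent with the body.
        expected_tag = hmac.new(self.key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, msg["tag"]):
            self.stats["bad_tag"] += 1
            return "bad_tag"
        seq = json.loads(msg["body"])["seq"]
        if seq < self.expected_seq:            # a copy of a message already processed
            self.stats["replayed"] += 1
            return "replayed"
        if seq > self.expected_seq:            # deletion shows up as a sequence gap
            self.stats["gap"] += seq - self.expected_seq
        self.expected_seq = seq + 1
        self.stats["accepted"] += 1
        return "accepted"


def run_scenario(kind):
    """Apply one disturbance class to a constructed 5-message stream
    (one message per second) and return the receiver's counters."""
    stream = [(make_message(i, {"speed": 20 + i}), float(i)) for i in range(5)]
    if kind == "deletion":                      # message 2 never arrives
        stream = [(m, t) for m, t in stream if t != 2.0]
    elif kind == "corruption":                  # body altered in transit, tag untouched
        msg, t = stream[2]
        stream[2] = ({"body": msg["body"].replace(b"22", b"99"), "tag": msg["tag"]}, t)
    elif kind == "introduction":                # untrue message made without the shared key
        forged = make_message(2, {"speed": 0}, key=b"wrong-key")
        stream.insert(2, (forged, 2.0))
    elif kind == "flooding":                    # 20 copies of message 2 within 0.1 s
        burst = [(make_message(2, {"speed": 22}), 2.0 + 0.005 * k) for k in range(20)]
        stream = stream[:3] + burst + stream[3:]
    elif kind != "normal":
        raise ValueError(f"unknown scenario {kind!r}")
    receiver = CaccReceiver()
    for msg, t in stream:
        receiver.receive(msg, t)
    return receiver.stats


if __name__ == "__main__":
    for kind in ("normal", "introduction", "deletion", "corruption", "flooding"):
        print(f"{kind:13s} {run_scenario(kind)}")
```

Note that a corrupted message is counted twice in the corruption scenario: once as a bad tag, and once as a gap when the next genuine message arrives, because from the receiver's point of view the corrupted message was effectively lost. The rate check is deliberately placed before the tag verification, so that the cost a flood can impose is bounded by the window size rather than by the number of messages sent.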


The Failure Model

An essential assumption in this approach and the model we propose is that a security breach may cause degradation of system services and ultimately a failure.

Thus, one can try to analyze the effects of a security breach by analyzing (simulating) the system behavior in the following states:

• normal state

• failure state

• degraded states.


Markov Model of a System with Repairs for Failure State

Results for No Repair and Repair Markov Model of a System

View Calculation Results (Relex "Markov Results" dialog)

Steady State Results:
  Availability   0.999949

Results at time 1000.000000:
  Availability   0.999999
  Reliability    0.950613

Time       Availability   Reliability
0          1.000000       1.000000
100.00     0.999999       0.999993
200.00     0.999999       0.989961
300.00     0.999999       0.9S99SS
400.00     0.999999       0.979974
500.00     0.999999       0.975019
600.00     0.999999       0.970088
700.00     0.999999       0.965182
800.00     0.999999       0.960301
900.00     0.999999       0.955445
1000.00    0.999999       0.950613

No repairs: availability 0.9459. Repair rate 0.9: availability 0.9999.

Relex Markov modeling tool: http://www.ptc.com/products/windchill/markov
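The Relex results above come from a tool; the same quantities can be computed directly from the failure model's states by solving a continuous-time Markov chain. The following is an added example, not the presentation's own model or the Relex calculation: it generalizes the two-state (up/down) model to the three states named in the failure model (normal, degraded, failed), solves the Kolmogorov forward equations numerically with a fixed-step RK4 integrator, and derives availability and reliability from one set of transition rates. Availability keeps the repair transitions; reliability is the same model with the failed state made absorbing. The rates in BREACH_RATES are constructed for the illustration; only the repair rate 0.9 is taken from the page, and the numbers it prints are not the page's numbers.

```python
"""Added example: three-state CTMC (normal, degraded, failed) for availability
and reliability, solved numerically.  Rates are constructed for illustration."""
import math

NORMAL, DEGRADED, FAILED = 0, 1, 2


def generator(n_states, transitions):
    """Build the generator matrix Q from {(src, dst): rate}.

    Off-diagonal Q[i][j] is the rate of the i -> j transition; each diagonal
    entry is minus its row sum, so every row of Q sums to zero."""
    q = [[0.0] * n_states for _ in range(n_states)]
    for (src, dst), rate in transitions.items():
        if src == dst or rate < 0:
            raise ValueError("transitions need distinct states and non-negative rates")
        q[src][dst] += rate
        q[src][src] -= rate
    return q


def _rk4_step(p, q, h):
    """Advance the Kolmogorov forward equations dp/dt = p.Q by one RK4 step."""
    n = len(p)

    def deriv(v):
        return [sum(v[i] * q[i][j] for i in range(n)) for j in range(n)]

    k1 = deriv(p)
    k2 = deriv([pi + 0.5 * h * ki for pi, ki in zip(p, k1)])
    k3 = deriv([pi + 0.5 * h * ki for pi, ki in zip(p, k2)])
    k4 = deriv([pi + h * ki for pi, ki in zip(p, k3)])
    return [pi + h / 6.0 * (a + 2 * b + 2 * c + d)
            for pi, a, b, c, d in zip(p, k1, k2, k3, k4)]


def state_probabilities(transitions, t, dt=0.5, n_states=3):
    """Probability of each state at time t, starting in NORMAL at t = 0.

    dt * (largest rate) must stay well below 1 for the fixed-step RK4 to be stable;
    with a repair rate of 0.9, dt = 0.5 is inside that bound."""
    q = generator(n_states, transitions)
    p = [0.0] * n_states
    p[NORMAL] = 1.0
    for _ in range(int(round(t / dt))):
        p = _rk4_step(p, q, dt)
    return p


def availability(transitions, t, dt=0.5):
    """A(t): probability the system is not FAILED at t; repairs are kept in the model."""
    return 1.0 - state_probabilities(transitions, t, dt)[FAILED]


def reliability(transitions, t, dt=0.5):
    """R(t): probability of no failure anywhere in [0, t], obtained from the same
    model by making FAILED absorbing (dropping every transition out of it)."""
    absorbing = {k: v for k, v in transitions.items() if k[0] != FAILED}
    return 1.0 - state_probabilities(absorbing, t, dt)[FAILED]


def steady_state_availability(failure_rate, repair_rate):
    """Closed form for the two-state (up/down) special case: mu / (lambda + mu)."""
    return repair_rate / (failure_rate + repair_rate)


# Constructed rates per unit time, chosen only for the illustration: a breach
# pushes the system from normal into degraded service, degraded service can
# either recover or fail, and repair returns a failed system to normal.
BREACH_RATES = {
    (NORMAL, DEGRADED): 1.0e-4,
    (DEGRADED, FAILED): 2.0e-4,
    (DEGRADED, NORMAL): 0.05,   # recovery of degraded service (assumed)
    (FAILED, NORMAL): 0.9,      # repair rate, the value used on the page
}
# Same model with every recovery/repair transition removed.
NO_REPAIR_RATES = {k: v for k, v in BREACH_RATES.items() if k[1] != NORMAL}


if __name__ == "__main__":
    print(f"{'Time':>8} {'Avail(repair)':>14} {'Avail(no repair)':>17} {'Reliability':>12}")
    for t in range(0, 1001, 100):
        print(f"{t:8.2f} {availability(BREACH_RATES, t):14.6f} "
              f"{availability(NO_REPAIR_RATES, t):17.6f} "
              f"{reliability(BREACH_RATES, t):12.6f}")
```

Without repair, availability and reliability coincide, which is the "no repairs" column of the comparison on the page; with repair, availability settles near the steady-state value while reliability keeps falling, which is the shape of the Relex table above. For the two-state special case the closed form mu / (lambda + mu) gives a check on the numerical solution.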


Conclusion

• Assessment of operational security requires a multi-faceted approach

• Research on security assessment is pursued in three directions:

  - theory, experiment & simulation

• Analogies with physical sciences and other trustworthiness properties are essential

• Future work is planned to be extended towards threat modeling


